The declarative security in Java EE is indeed not suited for such requirements. The security problem can be split in two:
- authentication
- authorization
I had a similar requirement once. We used the built-in authentication to have the principal set and then relied on the default Java EE login mechanisms. But we ended up managing the authorization part manually at the application level.
Indeed, even the roles that will be loaded and associated with the principal (isUserInRole for the web and isCallerInRole for the EJB) need to be specified in web.xml or ejb.xml, which doesn't provide enough flexibility. We then had to load the roles manually (according to the principal) from LDAP or Active Directory, and used EJB3 interceptors and Servlet filters to perform the security checks ourselves.
I would however strongly suggest sticking to role-based access control (RBAC) and not implementing something fancier. There are several frameworks that can help deal with home-made RBAC.
We also had a look at JSecurity and Acegi Security and they seemed interesting.
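To make the setup in the answer above concrete, here is an added example (my own code, not the poster's) of the two pieces it describes: a Servlet filter and an EJB3 interceptor that leave authentication to the container (the principal comes from `getUserPrincipal()` / `getCallerPrincipal()`) and make the authorization decision themselves from roles looked up per principal. The `RoleLookup` class, the `@RequiresRole` annotation, the URL policy table and the user/role data are all assumptions; in the real setup `RoleLookup` would query LDAP or Active Directory instead of the in-memory map. Assumes the `javax.*` Java EE 5/6 APIs.

```java
// ManualRbac.java (added example). Authentication stays with the container;
// only the authorization decision is made here, from roles we load ourselves.
import java.io.IOException;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.annotation.Resource;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public final class ManualRbac {

    /** Stand-in for the LDAP / Active Directory group lookup (constructed data, hypothetical). */
    public static final class RoleLookup {
        private static final Map<String, Set<String>> DIRECTORY = new HashMap<String, Set<String>>();
        static {
            DIRECTORY.put("alice", new HashSet<String>(Arrays.asList("admin", "user")));
            DIRECTORY.put("bob", new HashSet<String>(Arrays.asList("user")));
        }
        public static Set<String> rolesOf(Principal p) {
            if (p == null) return Collections.emptySet();          // unauthenticated caller
            Set<String> roles = DIRECTORY.get(p.getName());
            return roles == null ? Collections.<String>emptySet() : roles;
        }
    }

    /** Hypothetical marker annotation read by RoleInterceptor (not a Java EE annotation). */
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.METHOD, ElementType.TYPE})
    public @interface RequiresRole {
        String[] value();
    }

    /** Servlet filter: URL prefix -> required role, deny by default. Register it in web.xml. */
    public static final class RoleFilter implements Filter {
        private static final Map<String, String> POLICY = new HashMap<String, String>();
        static {
            POLICY.put("/admin", "admin");   // assumed URL layout
            POLICY.put("/app", "user");
        }
        public void init(FilterConfig cfg) {}
        public void destroy() {}
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest http = (HttpServletRequest) req;
            HttpServletResponse out = (HttpServletResponse) res;
            Principal user = http.getUserPrincipal();              // set by container authentication
            if (user == null) { out.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
            // Longest matching prefix wins; a path with no rule is refused (deny by default).
            String path = http.getServletPath(), required = null; int best = -1;
            for (Map.Entry<String, String> rule : POLICY.entrySet()) {
                if (path.startsWith(rule.getKey()) && rule.getKey().length() > best) {
                    best = rule.getKey().length(); required = rule.getValue();
                }
            }
            if (required == null || !RoleLookup.rolesOf(user).contains(required)) {
                out.sendError(HttpServletResponse.SC_FORBIDDEN); return;
            }
            chain.doFilter(req, res);
        }
    }

    /** EJB3 interceptor: bind with @Interceptors(ManualRbac.RoleInterceptor.class) on the bean. */
    public static final class RoleInterceptor {
        @Resource
        private SessionContext ctx;

        @AroundInvoke
        public Object check(InvocationContext ic) throws Exception {
            RequiresRole required = ic.getMethod().getAnnotation(RequiresRole.class);
            if (required == null) required = ic.getTarget().getClass().getAnnotation(RequiresRole.class);
            if (required != null) {
                Set<String> roles = RoleLookup.rolesOf(ctx.getCallerPrincipal());
                boolean allowed = false;
                for (String r : required.value()) if (roles.contains(r)) { allowed = true; break; }
                if (!allowed) throw new EJBAccessException("caller lacks required role");
            }
            return ic.proceed();
        }
    }
}
```

Two caveats when wiring this up: the container only authenticates if web.xml still carries a `<login-config>` and a `<security-constraint>` covering the protected URLs (that is the "built-in authentication" part the answer keeps), and the filter must be mapped so it runs after that login but before the application servlets. The annotation is deliberately not `@RolesAllowed`, so the container's own role mapping from web.xml / ejb-jar.xml never gets involved in the decision.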